User certificate error when connecting

02-14-2013 06:21 PM

Hi All,

Thanks beforehand for reading/helping on the following:

I have deployed a comp-user cert validation scenario (Windows 7 - Aruba controller - NPS) and it works fine when the comp validates itself using the comp cert (before login). The issue starts when the client sends user details. The following is some of the log entry that I'm able to paste for your perusal:

I'd like to mention that I have deployed the comp-user cert scenario in my LAB (only Windows default policies) and it works fine. Replicating the same scenario in PROD produces the above (btw, the PROD environment uses lots more AD policies).

No logs in NPS regarding user logging attempts. Looking at the Aruba auth-trace-buff, the client did not respond to the eap-id request. We were unable to enable the local event logger on the client due to group policy restrictions.

Config extract

!machine and user role set to allow all only for testing
!
user-role sh-corp-machine-role
   access-list session allowall
!
!
user-role sh-corp-user-role
   access-list session allowall
!
!
aaa server-group "PROD-NPS-Server Group"
   allow-fail-through
   auth-server "PROD-NPS-radius server"
!
aaa profile "corp-aaa_prof"
   mac-default-role "logon"
   authentication-dot1x "NPS-corp-802.1x-authprofile"
   dot1x-server-group "PROD-NPS-Server Group"
   radius-accounting "PROD-NPS-Server Group"
!
! termination on controller un-ticked.
!
aaa authentication dot1x "NPS-corp-802.1x-authprofile"
   machine-authentication enable
   machine-authentication machine-default-role "sh-corp-machine-role"
   machine-authentication user-default-role "sh-corp-user-role"
   timer idrequest_period 5
   server server-retry-period 5
   termination eap-type eap-tls
! only wpa2-aes selected
!
wlan ssid-profile "corp-ssid_prof"
   essid "ssid-corp"
   opmode wpa2-aes
!
!
wlan virtual-ap "corp-vap_prof"
   aaa-profile "corp-aaa_prof"
   ssid-profile "corp-ssid_prof"
   vlan 101
   dos-prevention
   band-steering
!

(some of the "names" were modified intentionally to prevent security disclosure)